Payroll is a major part of HR responsibilities. Your employees rely on you to receive their paychecks in a timely, convenient manner on a regular basis, pay cycle after pay cycle. Often, the easiest way to handle this process—for company and employee alike—is through direct deposit, which automatically transfers a paycheck from the company to the employee’s personal bank account.
Direct deposit literally has to function like clockwork—which means that when a change is made to the way your HR team processes a particular employee’s payment information, that change has to be handled with full accuracy, and as soon as possible. People are counting on it.
But new scams are taking advantage of that well-intended expediency.
With increasing frequency, scammers have been using dummy email accounts to try to trick HR personnel into making changes to employees’ direct deposit information in order to send payments to the wrong bank account—thereby effectively stealing from the company and the employee alike.
Here’s how it goes: Your company’s HR personnel receive an email that appears to be from a member of your own executive staff—someone in charge of payroll, or even the CEO or CFO. The body of the email introduces an urgent need to update the apparent sender’s direct deposit information.
The email is brief and well composed, with a fluent, professional tone that allows it to slip past your company’s spam filters as well as, in some cases, your HR staff’s own best judgment. It doesn’t blatantly demand confidential information—a request that would immediately be a red flag to the reader—but simply asks for a reply. Eventually, the sender shares a new bank account number, to which future payments should be directed. It seems like an innocent enough request. After all, it’s in this employee’s best interest to have their paycheck sent to the correct account, right?
By opening a dialogue, the scammer can further convince the HR personnel of the email’s validity, earning enough trust to make the fraudulent changes to the payroll information.
While the amount of a paycheck or two seems like small potatoes compared to the financially crippling potential of bigger fraud schemes, this type of “phishing”—sending fake emails in an attempt to reel in vulnerable parties—is also relatively easy to execute. Using free email services and company information that’s readily available on the internet, the scammers create a fake email that displays, as its username, the name of a member of the company. The familiar sight of a coworker’s name on an email is often the foot in the door they need.
Fortunately, it’s also a relatively easy scam to avoid, provided you maintain awareness of it. Here are three simple ways to protect your payroll from being compromised.
- Use common sense. While payroll services are an everyday reality of HR procedure, everyone in your company should be aware of their importance. Your CEO isn’t going to treat this kind of change so casually as to conduct it entirely through email.
- Check email addresses, not just display names. The email may appear to come from your chief information officer, say “Samuel Lowry,” and you would assume that it’s Mr. Lowry’s company account. But, in the case of a phishing scheme, the actual email address will be something like “email@example.com.” (For this reason, too, employees and executives especially should be discouraged from handling business matters over personal email accounts, to cut down on confusion and potential fraud.)
- Always receive spoken confirmation. Don’t make any changes to an employee’s payroll information until you have spoken to that person face-to-face or over the phone. It’s a simple, low-tech way to know you’re corresponding with the right person.
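The second tip above, comparing the display name with the actual sending address, is something a mail gateway or an HR mailbox rule can check automatically. The following Python is an added example written for this article, not code from the original post or from any vendor; it assumes a hypothetical company domain of example.com and a small constructed employee directory, and the sample headers it checks are constructed for illustration.

```python
"""Flag display-name spoofing in an email From: header.

Added example for this article (not part of the original post). Assumes a
hypothetical company domain "example.com" and a constructed employee
directory; every header string used below is constructed for illustration.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed directory: normalised display name -> the person's corporate address.
EMPLOYEE_DIRECTORY = {
    "samuel lowry": "samuel.lowry@example.com",
    "jane doe": "jane.doe@example.com",
}


def normalise(name: str) -> str:
    """Lower-case a display name and collapse runs of whitespace."""
    return " ".join(name.lower().split())


def check_from_header(raw_from: str) -> list[str]:
    """Return the reasons a From: header looks like a display-name spoof.

    An empty list means none of these checks fired. The checks mirror the
    article's advice: look at the real address, not the name shown next to it.
    """
    display, addr = parseaddr(raw_from)
    findings: list[str] = []

    if not addr or "@" not in addr:
        findings.append("unparseable or missing address")
        return findings

    _local, _, domain = addr.rpartition("@")
    domain = domain.lower()

    # A common trick is to put a legitimate-looking address inside the
    # display name itself, hoping the reader never sees the real one.
    if "@" in display:
        findings.append(f"display name contains an address: {display!r}")

    # Mail that is not from the company domain but claims to be a colleague.
    if domain != COMPANY_DOMAIN:
        findings.append(f"sender domain {domain!r} is not {COMPANY_DOMAIN!r}")
        # Look-alike domains (e.g. example-payroll.com) reuse the company name.
        if COMPANY_DOMAIN.split(".")[0] in domain:
            findings.append(f"domain {domain!r} resembles {COMPANY_DOMAIN!r}")

    # The display name matches a known employee but the address does not.
    expected = EMPLOYEE_DIRECTORY.get(normalise(display))
    if expected and expected.lower() != addr.lower():
        findings.append(
            f"display name {display!r} matches a known employee but the "
            f"address is {addr!r}, expected {expected!r}"
        )
    return findings


def is_suspicious(raw_from: str) -> bool:
    """Convenience wrapper for a mailbox rule or gateway policy."""
    return bool(check_from_header(raw_from))


if __name__ == "__main__":
    # Constructed samples: one genuine, three spoof attempts.
    samples = [
        '"Samuel Lowry" <samuel.lowry@example.com>',
        "Samuel Lowry <samuel.lowry.ceo@gmail.com>",
        "Samuel Lowry <samuel.lowry@example-payroll.com>",
        '"Samuel Lowry <samuel.lowry@example.com>" <mail@freemail.test>',
    ]
    for header in samples:
        print(header)
        for reason in check_from_header(header) or ["no findings"]:
            print("   -", reason)
```

The directory lookup is what catches the scenario in the article: a free webmail address whose display name is a real executive. The check is deliberately conservative (an unknown name on a company address produces no finding), so it is a tripwire for the spoken-confirmation step rather than a replacement for it; a production version would also decode RFC 2047-encoded display names before comparing them.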